Incorrect default permissions in Couchbase Server - CVE-2020-9039


Published: February 22, 2020 / Updated: August 8, 2020


Vulnerability identifier: #VU34813
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-9039
CWE-ID: CWE-276
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Couchbase
Affected software:
Couchbase Server

Detailed vulnerability description

The vulnerability allows a remote, non-authenticated attacker to call administrative REST endpoints of the projector and indexer processes without any credentials. The severity rating above treats the resulting administrative access as equivalent to arbitrary code execution on the affected node.

Couchbase Server 4.0.0, 4.1.0, 4.1.1, 4.5.0, 4.5.1, 4.6.0 through 4.6.5, 5.0.0, 5.1.1, 5.5.0 and 5.5.1 ship with insecure default permissions on the projector and indexer REST endpoints: they accept requests from unauthenticated clients (CWE-276).

The /settings REST endpoint exposed by the projector process is an administrative endpoint used for tasks such as updating configuration and collecting performance profiles. Because it required no authentication, anyone who could reach the projector's listener over the network could perform those tasks. The endpoint has been updated to allow only authenticated users to access these administrative APIs.
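The following is an added example, not code from this advisory or from Couchbase, that checks a node for the behaviour described above: it sends an unauthenticated GET to the projector and indexer /settings endpoints and classifies the reply. It assumes the stock listener ports 9999 (projector) and 9102 (indexer) and that an affected build answers such a GET with its settings as a JSON document; the function and endpoint names are the example's own.

```python
# Added example (not from the advisory or from Couchbase): probe whether the
# projector and indexer REST endpoints answer administrative requests without
# credentials, which is the condition CVE-2020-9039 describes.
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple

# Assumed default listeners of a stock Couchbase Server node; adjust per cluster.
ENDPOINTS: Dict[str, str] = {
    "projector /settings": "http://{host}:9999/settings",
    "indexer /settings": "http://{host}:9102/settings",
}

Response = Tuple[Optional[int], bytes]  # (HTTP status, or None if unreachable; body)


def http_get_no_auth(url: str, timeout: float = 5.0) -> Response:
    """GET the URL with no Authorization header and report what came back.

    An HTTP error status is a valid (and here, desirable) answer, so it is
    returned rather than raised; only transport failures yield status None.
    """
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()
    except (urllib.error.URLError, OSError):
        return None, b""


def classify(status: Optional[int], body: bytes) -> str:
    """Map an unauthenticated probe result to a verdict.

    200 with a JSON document means the admin endpoint served its settings to
    an anonymous caller (the vulnerable behaviour). 401/403 means the fix is
    in place or something in front of the service enforces authentication.
    Anything else is reported as-is so an operator looks at it instead of
    the tool guessing.
    """
    if status is None:
        return "UNREACHABLE"
    if status in (401, 403):
        return "AUTH_REQUIRED"
    if status == 200:
        try:
            json.loads(body.decode("utf-8", errors="replace"))
        except ValueError:
            return "UNEXPECTED:200-non-json"
        return "VULNERABLE"
    return f"UNEXPECTED:{status}"


def probe_host(host: str,
               fetch: Callable[[str], Response] = http_get_no_auth) -> Dict[str, str]:
    """Probe every endpoint on one host. `fetch` is injectable for offline tests."""
    return {name: classify(*fetch(url.format(host=host)))
            for name, url in ENDPOINTS.items()}


def is_vulnerable(results: Dict[str, str]) -> bool:
    """True if any endpoint served its settings to an unauthenticated caller."""
    return any(v == "VULNERABLE" for v in results.values())


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    verdicts = probe_host(target)
    for name, verdict in verdicts.items():
        print(f"{target:<20} {name:<22} {verdict}")
    sys.exit(1 if is_vulnerable(verdicts) else 0)
```

Run it as `python probe.py <node-address>` from a host that sits where an attacker would (outside the cluster's own nodes); a non-zero exit means at least one endpoint still answers anonymous requests. A 401 from both endpoints is the expected result on a fixed release, while UNREACHABLE on both usually means the ports are filtered, which is the interim mitigation rather than the fix.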


How to mitigate CVE-2020-9039

Install the update from the vendor's website: upgrade to a Couchbase Server release later than the affected versions listed above, in which the projector and indexer REST endpoints require authentication. Until the upgrade is complete, restrict network access to the Index service listeners (by default the indexer admin port 9102 and the projector port 9999) to the cluster's own nodes, since the issue is reachable by anyone who can open a TCP connection to those ports. After upgrading, verify the fix by sending an unauthenticated GET to /settings on each of those ports and confirming that the reply is 401 Unauthorized rather than the settings document.

Sources